hook | ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff

Analysis

max time kernel
150s
max time network
152s
platform
android_x64
resource
android-x64-arm64-20240221-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240221-enlocale:en-usos:android-11-x64system
submitted
13-03-2024 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff.apk
Size

3.6MB
MD5

5d391a83a4c4f2e11bd9af3fce04118b
SHA1

1e373a16fa1e27c17ac42ec9e2f638ee5d8dfd11
SHA256

ed0558cfbfbbffab7bfc500f5a458bf08178ab1a9ee08b79c7e9c1edb21442ff
SHA512

d4ff82ca5f835f360e0b1f2c312537890054d21ea168e7cbd628ca85a762ae6d0f628a24609525f95b7f7c8293d30354a1fd8f16e86cb536e1f1d0ea44ae6a27
SSDEEP

98304:0ZQ6ESsYwdh29tDVnyFSQRH7JSaV2ShayXLe:JJPdQtVrCbL2ShaJ

Score

10^/10

hook collection evasion infostealer rat trojan

Malware Config

Extracted

Family

hook

http://127.0.0.1:3434

AES_key

Signatures

Hook
Hook is an Android malware that is based on Ermac with RAT capabilities.
rat trojan infostealer hook

Makes use of the framework's Accessibility service 2 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.tencent.mm

com.tencent.mm
1⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4407

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads